[Emu] TEAP no EAP: which "error" for EAP methods that are not available?
Eliot Lear <lear@lear.ch> Sat, 08 October 2022 07:52 UTC
Return-Path: <lear@lear.ch>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11483C1524AA for <emu@ietfa.amsl.com>; Sat, 8 Oct 2022 00:52:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 87v21rDwjaB0 for <emu@ietfa.amsl.com>; Sat, 8 Oct 2022 00:51:56 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C9AAC1522AD for <emu@ietf.org>; Sat, 8 Oct 2022 00:51:43 -0700 (PDT)
Received: from [192.168.0.130] (77-58-144-232.dclient.hispeed.ch [77.58.144.232]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 2987pelP1858993 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for <emu@ietf.org>; Sat, 8 Oct 2022 09:51:41 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1665215501; bh=mGoOYy+w/AQD7NbjhaTz2fIKqzGFM0F7ueA59Y9U460=; h=Date:To:From:Subject:From; b=C8nuc9EY3y9DEOFwR6iavZvATVAv5XBijyGdg+g2rELh+DUOeD5/tF9i76/xUp8C+ nqAOsDY7JwQLqnbcq92nfUGY0OprbfQtLnWWSHxQvRDXVZ1LBqeswt4b+bwTs8isJT PV7PhQW30gimcc/j8ontCzv8O2NRQfVfSzSEudlk=
Message-ID: <e7b9c59b-d98f-7683-c8aa-a405c1c86c1f@lear.ch>
Date: Sat, 08 Oct 2022 09:51:40 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.13.1
Content-Language: en-US
To: EMU WG <emu@ietf.org>
From: Eliot Lear <lear@lear.ch>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------HjIqssFTw00FBIOQymIH3OJN"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/dXzlpWojfBJQmlxL_OiyVOSLIew>
Subject: [Emu] TEAP no EAP: which "error" for EAP methods that are not available?
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2022 07:52:01 -0000
&TL;DR what to do when peer doesn't want to do an inner EAP method, but
you still want to allow peer on the network? My answer:
intermediate-result TLV with status=failure.
One potential use case is when you have some devices that support
individual users and some that do not. In this case, the server might
request an inner EAP method such as MSCHAPv2. This would work fine for
a laptop but not so well for a lightbulb. The server may yet wish to
make a policy decision to allow the lightbulb onto the network, even
though it made use of no inner method. RFC 7170 ponders this use case
in Section 3.3.1:
The result of failure of an EAP method does not
always imply a failure of the overall authentication. If one
authentication method fails, the server may attempt to authenticate
the peer with a different method.
What is less clear is what to do when no EAP method is available. There
are three choices:
1. Send a NAK TLV
2. Send an Error TLV
3. Send an intermediate result TLV with status = failure.
A NAK TLV seems to contemplate TLVs that are simply *not* implemented.
I don't think that's the correct answer, but so long as the server
understands that the peer means "don't send me no stinking EAP TLVs" and
can intelligently apply policy, no big deal. Still, I think that's not
a good general answer. It's possible that both the peer and the server
could implement something like EAP-AKA, but that the server doesn't have
access to the necessary credential information of the client, and may
still want to allow the client online.
Section 3.6.3 states the following about using an Error TLV with an
inner method:
If there is a non-fatal error handling the inner method,
instead of silently dropping the inner method request or response and
not responding, the receiving side SHOULD use an Error TLV with error
code Inner Method Error to indicate an error processing the current
inner method. The side receiving the Error TLV MAY decide to start a
new inner method instead or send back a Result TLV to terminate the
TEAP authentication session.
But this seems to be applicable when the inner method is already
started. Also, this seems to stretch the definition of what an "Error"
is. That militates against the SHOULD above, right?
Finally, the peer could simply respond with an Intermediate-Result-TLV
with Status=Failure. This seems to be the most straightforward way of
responding, and it seems to be what was intended with the text I quoted
from Section 3.3.1. One might want to provide the EAP TLV as an
optional TLV in the Intermediate-Result, but one seemingly cannot
because because the Intermediate-TLV text reads the following in Section
4.2.11:
The TLVs in
this field MUST NOT have the mandatory bit set.
I don't understand this, but there it is. It spares me having to
determine whether one is supposed to include just the TLV code in that
space or the T, L, and V. And this same question recurs with
Request-Action TLVs. Fortunately, in that context it makes more sense
that only the type code is necessary, and this is indeed the practice
that wpa_supplicant has followed.
If it seems to you like we're building up a little bit of an issue list
for a TEAP update.... you'd be right ;-)
Eliot